Disabling SSL 2.0 for PCI compliance


I have recently been asked to make some security improvements for an insurance company. One of the requirements is to disable SSL 2.0 on the web servers; the details of how to do this are below.

http://support.microsoft.com/kb/187498 – this Microsoft article has a "Fix it for me" button, so you don't have to run through the following procedure by hand, but I like to know what is actually being changed on my servers.

The instructions are pretty easy to follow. The value lives under the SCHANNEL Protocols key, with a separate subkey per protocol and, under that, a Server subkey (the Client subkey controls outbound connections and is not touched here).

1. Click Start, click Run, type regedt32 or regedit, and then click OK.

2. In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server

3. On the Edit menu, click Add Value (in regedit: Edit, New, DWORD Value).

4. In the Data Type list, click DWORD.

5. In the Value Name box, type Enabled, and then click OK.
Note: if this value is already present, double-click it to edit its current value.

6. Set the value data to 0 (in the regedt32 Binary Editor this is entered as 00000000) so that Enabled equals 0, which turns the protocol off.

7. Click OK.

Repeat steps 2 to 7 for the SSL 2.0 key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server, then restart the computer; SCHANNEL only picks up the change after a reboot.
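The same change scripted in PowerShell, which is what I would use across more than one server. This is an added example and not code from the Microsoft article; it writes exactly the Enabled=0 DWORD the manual steps create, under the Server subkey for both PCT 1.0 and SSL 2.0, and then reads the value back so you can see whether the write stuck before rebooting. The function names are my own, and the script assumes it is run from an elevated prompt.

```powershell
# Added example: disable PCT 1.0 and SSL 2.0 server-side through the SCHANNEL
# registry keys described in the manual procedure above. Run from an elevated
# PowerShell prompt; a reboot is still required before SCHANNEL honours it.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = @('PCT 1.0', 'SSL 2.0')

# Function names are this example's own, not from the KB article.
function Disable-LegacySchannelProtocol {
    param([Parameter(Mandatory)][string]$Name)

    $key = Join-Path -Path $base -ChildPath "$Name\Server"

    # The Protocols\<name>\Server key normally does not exist until you create it;
    # that is why the manual steps say "Add Value".
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # DWORD Enabled = 0 is what step 6 sets by hand. -Force overwrites an
    # existing value rather than failing, matching the "Note" in step 5.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-LegacySchannelProtocolDisabled {
    param([Parameter(Mandatory)][string]$Name)

    $key = Join-Path -Path $base -ChildPath "$Name\Server"

    # No key means the OS default applies, which on the servers this post is
    # about means the protocol is still offered, so report it as not disabled.
    if (-not (Test-Path -Path $key)) { return $false }

    $item = Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.Enabled -eq 0)
}

foreach ($p in $protocols) {
    Disable-LegacySchannelProtocol -Name $p
    if (Test-LegacySchannelProtocolDisabled -Name $p) {
        Write-Output "$p server support disabled in the registry (effective after reboot)"
    } else {
        Write-Warning "$p : Enabled is not 0, check that the prompt is elevated"
    }
}
```

Run it on each server, then reboot. Until the reboot, an external scan will still see SSL 2.0 offered, so do not re-run the ASV scan straight after the script finishes.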

Keep in mind that while this removes one finding an ASV scan will raise against the server, it does not on its own make the server PCI compliant, and I don't see it as a specific line item in the DSS checklist itself – https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

It is, however, specifically called out in the Approved Scanning Vendors (ASV) requirements document, so it is more than just best practice: www.pcisecuritystandards.org/…/pci_dss_technical_and_operational_requirements_for_approved_scanning_vendors_ASVs_v1-1.pdf

A component must be considered non-compliant if the installed SSL version is limited to Version 2.0, or older. SSL must be a more recent version than 2.0
